NCP is continuously restarting when a Distributed Firewall rule is manually created in a Firewall section created by NCP

Article ID: 326348


Updated On:

Products

VMware NSX

Issue/Introduction

  • NCP logs (ctl.stdout.log) display message(s) indicating NCP is continuously restarting, similar to:

    Start NSX Container Plugin
    ------------ STARTING ctl at Sun Mar  8 08:02:04 UTC 2020 --------------
    Removing stale pidfile
    Start NSX Container Plugin
    ------------ STARTING ctl at Sun Mar  8 08:02:55 UTC 2020 --------------
    Removing stale pidfile
    Start NSX Container Plugin
    ------------ STARTING ctl at Sun Mar  8 08:03:06 UTC 2020 --------------
    Removing stale pidfile
    Start NSX Container Plugin

  • For each NCP restart, the NCP logs (ncp.stdout.log) display message(s) similar to:

    NSX 4261 - [nsx@6876 comp="nsx-container-ncp" subcomp="ncp" level="CRITICAL"] nsx_ujo.ncp.main Failed to initialize container orchestrator adaptor: 'service'
    NSX 4468 - [nsx@6876 comp="nsx-container-ncp" subcomp="ncp" level="CRITICAL"] nsx_ujo.ncp.main Failed to initialize container orchestrator adaptor: 'service'

    NSX 4711 - [nsx@6876 comp="nsx-container-ncp" subcomp="ncp" level="CRITICAL"] nsx_ujo.ncp.main Failed to initialize container orchestrator adaptor: 'service'

    Note: The quoted keyword ('service' here) may differ, but the rest of the message should be similar.
  • Distributed Firewall rules are created manually in the Firewall section created by NCP.

Environment

VMware NSX-T Data Center 3.x
VMware NSX 4.x

Cause

When NCP starts, it parses the Distributed Firewall (DFW) rules in the Firewall section created by NCP. If NCP cannot validate one of the rules, it restarts.
Users are not allowed to modify NCP-created entries, so DFW rules should not be created in the Firewall sections created by NCP.

Resolution

Delete the DFW rules that were manually created in the Firewall section created by NCP, as this is not a supported configuration.
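
A triage check for the two log symptoms listed under Issue/Introduction, as an added example (not VMware code): it reads ctl.stdout.log text for a restart loop and ncp.stdout.log text for the CRITICAL adaptor failure. The embedded logs are constructed from the excerpts in this article, and the loop threshold (three starts within five minutes) and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs, modelled on the excerpts in this article.
CTL_LOG = """\
------------ STARTING ctl at Sun Mar  8 08:02:04 UTC 2020 --------------
Removing stale pidfile
Start NSX Container Plugin
------------ STARTING ctl at Sun Mar  8 08:02:55 UTC 2020 --------------
Removing stale pidfile
Start NSX Container Plugin
------------ STARTING ctl at Sun Mar  8 08:03:06 UTC 2020 --------------
Removing stale pidfile
"""
NCP_LOG = """\
NSX 4261 - [nsx@6876 comp="nsx-container-ncp" subcomp="ncp" level="CRITICAL"] nsx_ujo.ncp.main Failed to initialize container orchestrator adaptor: 'service'
NSX 4468 - [nsx@6876 comp="nsx-container-ncp" subcomp="ncp" level="CRITICAL"] nsx_ujo.ncp.main Failed to initialize container orchestrator adaptor: 'service'
"""

START_RE = re.compile(r"STARTING ctl at \w{3} (\w{3}\s+\d+ [\d:]+) UTC (\d{4})")
FAIL_RE = re.compile(
    r"level=\"CRITICAL\"\].*Failed to initialize container orchestrator adaptor: '([^']*)'")

def ctl_starts(text):
    """Return the ctl start times (UTC, naive) found in ctl.stdout.log text."""
    out = []
    for m in START_RE.finditer(text):
        stamp = " ".join(m.group(1).split()) + " " + m.group(2)  # collapse padded day
        out.append(datetime.strptime(stamp, "%b %d %H:%M:%S %Y"))
    return out

def restart_loop(starts, min_starts=3, window=timedelta(minutes=5)):
    """True if min_starts consecutive starts fall within window (assumed threshold)."""
    return any(starts[i + min_starts - 1] - starts[i] <= window
               for i in range(len(starts) - min_starts + 1))

def adaptor_failures(text):
    """Count CRITICAL adaptor-initialization failures per quoted keyword."""
    counts = {}
    for key in FAIL_RE.findall(text):
        counts[key] = counts.get(key, 0) + 1
    return counts

def matches_article_symptoms(ctl_text, ncp_text):
    """Both symptoms present: restart loop plus at least one adaptor failure."""
    return restart_loop(ctl_starts(ctl_text)) and bool(adaptor_failures(ncp_text))

if __name__ == "__main__":
    print(matches_article_symptoms(CTL_LOG, NCP_LOG), adaptor_failures(NCP_LOG))
```

A match only indicates the log pattern described here; confirming the cause still requires checking the NCP-created Firewall section for manually added DFW rules.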